We discuss aspects of secure quantum communication by proposing and analyzing a
quantum analog of the Vernam cipher (one-time-pad). The quantum Vernam cipher
uses entanglement as the key to encrypt quantum information sent through an insecure
quantum channel. First, in sharp contrast with the classical Vernam cipher, the
quantum key can be recycled securely. We show that key recycling is intrinsic to the
quantum cipher-text, rather than using entanglement as the key. Second, the scheme
detects and corrects for arbitrary transmission errors, and it does so using only local
operations and classical communication (LOCC) between the sender and the receiver. The
application to quantum message authentication is discussed. Quantum secret sharing
schemes with similar properties are characterized. We also discuss two general issues:
the relation between secret communication and secret sharing, and the classification of
secure communication protocols.
1. Introduction

Recent developments in quantum information theory have brought many surprises in
cryptology. A partial list includes an efficient quantum algorithm for factoring, which can
break the condition for security in many cryptographic protocols, unconditionally secure
quantum key distribution protocols, and a no-go theorem for unconditionally secure
quantum bit commitment. Cryptographic protocols for quantum information are also
being developed. For examples, see Refs. 8, 9, 10, 11, 12, 13.

Emerging from these interesting results are important open questions on what quantum
mechanics admits and prohibits in cryptography and the reasons why. This paper reports
partial progress along this direction, by analyzing a proposed "quantum Vernam cipher"
which encrypts a quantum plain-text to a quantum cipher-text using entanglement as a
"key". The proposed scheme is a quantum analog of various existing schemes, including
the classical Vernam cipher (one-time-pad) in which all of the plain-text, the cipher-text,
and the key are classical, the eavesdrop-detecting channel in which the plain-text and
the key are classical but the cipher-text is quantum, and the private quantum channel
in which the plain-text and the cipher-text are quantum but the key is classical.

One intriguing property of the quantum Vernam cipher is that the key can be recycled
securely using test and purification procedures for entanglement. As a comparison,
key recycling is insecure in the classical Vernam cipher but secure in the
eavesdrop-detecting channel. These observations suggest that the security of key recycling comes
from the possibility to detect eavesdropping in the quantum cipher-text, rather than using
entanglement as a key. We give further support to this suggestion by modifying the private
quantum channel to securely recycle the classical key.

Another intriguing property of the quantum Vernam cipher is the ability to correct
for any damage on the transmitted quantum state. Moreover, the correction procedure
involves only classical communication between the sender and the receiver. These can be
explained by the theory of quantum secret sharing. Quantum secret sharing schemes
with similar properties are characterized. We discuss general connections between secret
communication and secret sharing, and apply the connections to other secret
communication schemes.

As suggested by the above results, and in concert with our effort to relate cryptographic
properties to various elements in cryptographic schemes, we classify existing schemes
according to the classical or quantum nature of the communication channel and the key
(the resources) and the plain-text (the application), and consider the security of key
recycling and reliability for each class. Besides the schemes mentioned above, teleportation,
superdense coding, and key distribution protocols are also included.

Secure key recycling and reliability are closely related to message authentication. We
briefly discuss applications of our analysis to the authentication of quantum messages
(Refs. 12, 13).

Despite the fact that entanglement is recycled in the quantum Vernam cipher, we find
that, given the same resources, secure quantum communication can be more efficiently
realized by distributing entanglement and then teleporting the state. We emphasize that
our main goal is to understand and analyze security in quantum protocols; our proposed
cipher and the comparisons with other schemes are tools for doing so.

This paper is structured as follows. The quantum Vernam cipher is described in
Section 2 following the reviews of private key encryption and the private quantum channel.
Eavesdropping and error correction strategies are explained in Section 3. Key recycling is
analyzed in Section 4. The connections between secret communication and secret sharing
are discussed in Section 5. We conclude with a classification of secure communication
protocols, some applications of the analysis to authentication, and some open questions. For
completeness, various relevant cryptographic schemes are described in Appendices A, C,
and D.

1.1. Definitions and Assumptions 

Footnote: A recent article has independently reported using entanglement as a recyclable
quantum key to conceal classical information. The application to encrypt quantum
information was suggested but not accomplished.

In communication problems, the sender, the receiver, and any adversary (such as an
eavesdropper) are traditionally called Alice, Bob, and Eve respectively. For simplicity in
notation and in the proofs, we make the following assumptions throughout the paper.

• Channel noise and logical errors are negligible. 

• Alice and Bob have a 2-way classical broadcast channel. Hence classical communication
is public but unjammable and authenticated (not forged or tampered with).

• Alice and Bob may also be given a quantum channel or entanglement. Such quantum 
channel is assumed insecure, while the given entanglement is pure and authenticated. 

The two quantum resources are inequivalent. Entanglement can be converted to a secure
quantum channel by teleportation (see Appendix A). A quantum channel which is insecure
can establish "mixed entanglement", but further test and distillation procedures are
needed to establish pure entanglement.

2. Concealing Ciphers 

In this section, we describe the quantum Vernam cipher. We first review basic notions in
private key encryption, using the classical Vernam cipher, the eavesdrop-detecting
channel, and the private quantum channel as examples. These examples also motivate the
construction of the quantum Vernam cipher. We concentrate on the ability to conceal the
communicated secret from an eavesdropping adversary. Other aspects of security will be
discussed later.

2.1. Private key encryption 

In secret classical communication using private key encryption, Alice and Bob share a
secret string K, called the "key", which encrypts (locks) a message M from Eve during
transmission and decrypts (opens) M for Bob afterwards.

For example, in the Vernam cipher a random n-bit key K is used to encrypt an
n-bit message M (also known as the plain-text). Alice sends a cipher-text $C = M \oplus K$
to Bob, where $\oplus$ denotes bitwise XOR (addition modulo 2). Bob decodes by calculating
$C \oplus K = M$. Shannon proved that the Vernam cipher is absolutely secure: C is
random and independent of M when K is random and unknown. Shannon also proved
that absolute security requires the entropy (thus the length) of K to be at least n. Thus
reusing a key, even with privacy amplification, compromises security when previously
transmitted cipher-text might have been tapped.

As another example, we consider a simple case of the eavesdrop-detecting channel.
Let r be a security parameter. An n-bit classical plain-text M is encrypted with two
(n+r)-bit classical keys $K_1, K_2$ into a quantum cipher-text as follows. Alice concatenates
M with r random subset parities of M to form M'. She sends each bit of $K_1 \oplus M'$ in the
basis $\{|0\rangle, |1\rangle\}$ or $\{|+\rangle, |-\rangle\}$ depending on each bit of $K_2$. After Bob receives
and decodes the cipher-text, Alice announces the random subsets. The decoded message is accepted
only if all the subset parities are correct. The security has been analyzed for the
intercept-resend attack. When l bits of the cipher-text have been intercepted, the probability to
have no inconsistencies in the subset parities is no more than (|)', and the keys can be
reused with privacy amplification. The security against a more general attack, and bounds
on the information gain by Eve, are not available in the literature. A similar analysis for a
different scheme is presented in Sec. 4.2.

Footnote: A cipher is absolutely secure if C and M are independent.



2.2. Private quantum channel 



We motivate the quantum Vernam cipher by reviewing the following canonical example of
the private quantum channel, which uses a classical key to encrypt a quantum
plain-text to a quantum cipher-text. For simplicity, we call the canonical example the private
quantum channel. Let



$$I = \begin{pmatrix} 1 & 0 \\ 0 & 1 \end{pmatrix}, \quad
X = \begin{pmatrix} 0 & 1 \\ 1 & 0 \end{pmatrix}, \quad
Z = \begin{pmatrix} 1 & 0 \\ 0 & -1 \end{pmatrix}, \quad
ZX = \begin{pmatrix} 0 & 1 \\ -1 & 0 \end{pmatrix} \qquad (1)$$

denote the 2×2 identity and three "Pauli matrices". To send one quantum bit (qubit)
given by the density matrix $\rho$, Alice and Bob share a 2-bit key $K = (k_1, k_2)$. Alice applies
$Z^{k_2} X^{k_1}$ to $\rho$ and sends to Bob the resulting "cipher-text"
$\rho' = Z^{k_2} X^{k_1} \rho X^{k_1} Z^{k_2}$, which is decoded by Bob by applying $X^{k_1} Z^{k_2}$.
From Eve's point of view, Alice is sending $\rho$, $X\rho X$, $Z\rho Z$, and $ZX\rho XZ$ at random;
she sees a mixture $I/2$ which is independent of $\rho$. To send
an n-qubit state $\rho$, the 1-qubit scheme is applied bitwise. Let K be a 2n-bit classical key
with i-th bit $k_i$. Let $X_i$ and $Z_i$ denote X and Z acting on the i-th qubit. Alice sends to
Bob $\rho' = U_K \rho U_K^\dagger$, where Uk = 0^ . Bob applies $U_K^\dagger$ to recover $\rho$ from $\rho'$.
Eve sees a mixture of uniformly distributed possible states:

$$\frac{1}{2^{2n}} \sum_K U_K \rho U_K^\dagger = \frac{I^{\otimes n}}{2^n} \qquad (2)$$

which is independent of $\rho$. It was also proved in Ref. 8 that $H(K) \geq 2n$ is necessary to
completely randomize an arbitrary $\rho$. A schematic diagram is given in Fig. 1.



Fig. 1. The private quantum channel. Time runs from left to right. The symbols A, B, and
E stand for Alice, Bob, and Eve and denote the owners of the registers. Double lines represent
classical bits. X and Z are applied to the quantum state if their respective classical control bits
equal 1. These conventions are assumed throughout the paper.



Footnote: Equation (2) can be derived using the Pauli decomposition of $\rho$: each nontrivial
component anticommutes with half of the $U_K$ and vanishes in the sum, leaving only the identity term.
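Equation (2) and the need for the full 2n-bit key can be checked numerically. The following Python sketch is an added example, not code from the paper; the assignment of key bits to X and Z on each qubit, the sample states and all function names are assumptions of the sketch.

```python
import itertools

I2 = [[1, 0], [0, 1]]
X = [[0, 1], [1, 0]]
Z = [[1, 0], [0, -1]]


def matmul(a, b):
    """Product of two matrices given as lists of rows."""
    return [[sum(a[i][k] * b[k][j] for k in range(len(b)))
             for j in range(len(b[0]))] for i in range(len(a))]


def kron(a, b):
    """Kronecker (tensor) product of two matrices."""
    return [[x * y for x in row_a for y in row_b] for row_a in a for row_b in b]


def dagger(a):
    """Conjugate transpose."""
    return [[complex(a[j][i]).conjugate() for j in range(len(a))]
            for i in range(len(a[0]))]


def density(vec):
    """|v><v| for a normalized state vector."""
    return [[complex(x) * complex(y).conjugate() for y in vec] for x in vec]


def key_unitary(key, use_z=True):
    """U_K as a tensor product of Z^{kz} X^{kx}, one factor per qubit.

    Assumed bit order (not taken from the paper): key = (kx_1, kz_1, kx_2, kz_2, ...).
    use_z=False ignores the Z bits, modelling a key with only n bits of entropy.
    """
    u = [[1]]
    for kx, kz in zip(key[0::2], key[1::2]):
        factor = matmul(Z if (kz and use_z) else I2, X if kx else I2)
        u = kron(u, factor)
    return u


def eve_view(rho, n, use_z=True):
    """Average of U_K rho U_K^dagger over all 2n-bit keys K (left side of Eq. 2)."""
    dim = 2 ** n
    keys = list(itertools.product((0, 1), repeat=2 * n))
    total = [[0j] * dim for _ in range(dim)]
    for key in keys:
        u = key_unitary(key, use_z)
        term = matmul(matmul(u, rho), dagger(u))
        for i in range(dim):
            for j in range(dim):
                total[i][j] += term[i][j] / len(keys)
    return total


def maximally_mixed(n):
    """Identity on n qubits divided by 2^n (right side of Eq. 2)."""
    dim = 2 ** n
    return [[(1 / dim if i == j else 0) for j in range(dim)] for i in range(dim)]


def distance(a, b):
    """Largest entry-wise difference between two square matrices."""
    return max(abs(a[i][j] - b[i][j]) for i in range(len(a)) for j in range(len(a)))


# Constructed sample inputs: an entangled 2-qubit state and the product state |+>|+>.
ENTANGLED = density([0.5, 0.5j, -0.5, 0.5])
PLUS_PLUS = density([0.5, 0.5, 0.5, 0.5])

if __name__ == "__main__":
    # Full 2n-bit key: Eve sees I/4 whatever the plain-text is.
    print(distance(eve_view(ENTANGLED, 2), maximally_mixed(2)))
    print(distance(eve_view(PLUS_PLUS, 2), maximally_mixed(2)))
    # X-only key (n bits of entropy): |+>|+> passes through unchanged.
    print(distance(eve_view(PLUS_PLUS, 2, use_z=False), PLUS_PLUS))
```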
2.3. The quantum Vernam cipher

We use entanglement as the key in our quantum Vernam cipher. The fundamental unit
of entanglement is an "ebit". Alice and Bob are said to share an ebit if each possesses
one qubit of a known maximally entangled state of two qubits, such as the EPR states
$|\Phi^\pm\rangle = \frac{1}{\sqrt{2}}(|00\rangle \pm |11\rangle)$. The procedure to transmit one qubit using two
ebits is summarized in Fig. 2.



Fig. 2. The quantum Vernam cipher to send one qubit.



The registers in Fig. 2 are labeled by $a_1$, $a_2$, $b_1$, $b_2$, and $m$. The two registers $a_1, b_1$ are
initially in the state $|\Phi^+\rangle$, and so are $a_2, b_2$. The registers $a_1, a_2$ belong to Alice and $b_1, b_2$
belong to Bob all the time. The register $m$ initially carries the message $\rho$ and belongs to
Alice. Alice applies a controlled-X (CNOT) from $a_1$ to $m$ and a controlled-Z (CZ) from $a_2$ to
$m$ and sends $m$ to Bob. We assume Eve takes control of $m$ during the transmission. When
Bob receives $m$, he applies a CZ from $b_2$ to $m$, followed by a CNOT from $b_1$ to $m$ to recover
$\rho$. To send an n-qubit state $\rho$, the one-qubit protocol is applied bitwise. We show that the
quantum Vernam cipher is a purification of the private quantum channel, superposing all
possible key states: The key registers $(a_1, b_1, \cdots, a_{2n}, b_{2n})$ have initial state
$|\Phi^+\rangle^{\otimes 2n}$. Re-ordering the qubits as $(a_1, \cdots, a_{2n}, b_1, \cdots, b_{2n})$, the initial key state
$\frac{1}{2^n} \sum_K |K\rangle|K\rangle$, where K ranges over all 2n-bit strings, is indeed the
superposition of all possible classical keys.
Finally, the quantum Vernam cipher and the private quantum channel have equivalent
encoding and decoding operations, establishing the claim. Eve sees a cipher-text described
by tracing out the subsystem $\{a_1, \cdots, a_{2n}, b_1, \cdots, b_{2n}\}$, which corresponds to averaging
over all possible keys $|K\rangle|K\rangle$. Following the discussion in Section 2.2, Eve sees the state
$I^{\otimes n}/2^n$. Thus Eve obtains no information on $\rho$.

In the absence of eavesdropping, the circuit in Fig. 2 acts trivially, so that $\rho$ is recovered,
and the key $|\Phi^+\rangle^{\otimes 2n}$ is regenerated. We now consider the effects of eavesdropping.

3. Eavesdropping and Error Correction 

Even though Eve obtains no information from the cipher-text, she may disturb, destroy, 
or alter it, and entangle her ancilla with the quantum key to be regenerated. In this section, 
we describe the effects of eavesdropping and a basic correction method, which are starting 
points for our discussions in Sections 4 and 5. 
3.1. General eavesdropping and correction strategy

We assume that the plain-text is initially disentangled from Eve. Eve's most general
strategy is to apply a joint unitary operation U on the transmitted cipher-text and a
pure state ancilla of hers, and send Bob "something". We may assume she outputs the
correct number of qubits as Bob can add or discard qubits. Note that there is no further
communication from Eve to Alice or Bob. Thus subsequent action $\mathcal{F}$ by Eve on her ancilla
cannot change the superoperator $\mathcal{E}$ that describes the transmission of the cipher-text. The
situation is summarized as

[Figure: circuit diagram with registers labeled A, E, and B.]

A convenient representation of $\mathcal{E}$ is given by

$$\mathcal{E}(\rho) = \sum_{ij} e_{ij} P_i \rho P_j^\dagger \qquad (3)$$

where $e_{ij}$ are entries of a positive matrix and the sum is over all Pauli matrices $P_i$ on
the n-qubit cipher-text. Equation (3) can be interpreted as a process that transforms a
state $\rho$ into a mixture of $D_k \rho D_k^\dagger$, where $D_k$ are noninterfering errors. Expressing each
$D_k$ as a linear combination of Pauli matrices, one obtains Eq. (3). The $P_i$ in Eq. (3) thus
represent errors that may interfere with each other. Using the language of quantum
error correction, we call the $P_i$ Pauli errors. We now show that if Alice and Bob determine
with high probability what Pauli error has occurred, their final state is almost disentangled
from Eve. The process of determining the error is called syndrome extraction.

The cipher-text is generally part of a state $\rho$ obtained from encoding the plain-text
with some ancilla. The state possessed by Alice and Bob after the transmission is given
by

$$(\mathcal{I} \otimes \mathcal{E})(\rho) = \sum_{ij} e_{ij} (I \otimes P_i) \rho (I \otimes P_j^\dagger) \qquad (4)$$

where the identity operator $\mathcal{I}$ acts on the uncommunicated subsystem.

First suppose it is possible to perfectly distinguish the states $(I \otimes P_i)\rho(I \otimes P_i^\dagger)$
nondestructively. Then, there is a projective measurement Q with projectors $Q_i$ such that

$$\text{if } j = i: \quad Q_i (I \otimes P_j) \rho (I \otimes P_j^\dagger) Q_i = (I \otimes P_j) \rho (I \otimes P_j^\dagger), \qquad (5)$$

$$\text{if } j \neq i: \quad Q_i (I \otimes P_j) \rho (I \otimes P_j^\dagger) Q_i = 0. \qquad (6)$$

Since $\rho$ is positive, Eqs. (5) and (6) are equivalent to

$$\text{if } j = i: \quad Q_i (I \otimes P_j) \rho = (I \otimes P_j) \rho, \qquad (7)$$

$$\text{if } j \neq i: \quad Q_i (I \otimes P_j) \rho = 0. \qquad (8)$$

The projector $Q_i$ removes any term in Eq. (4) with a $P_j$ for all $j \neq i$, leaving only the
output $(I \otimes P_i)\rho(I \otimes P_i^\dagger)$, which is independent of $\mathcal{E}$ and disentangled from Eve.

We will consider situations deviating from the above perfect scenario. For example,
the measurement outcome i may be accompanied by some irreversible state change $O_i$.
Moreover, the measurement may only distinguish subsets of errors or be probabilistic, so
that multiple terms in Eq. (4) may remain in the final state. In any case, if a syndrome i is
extracted with high probability, the post-measurement state has density matrix dominated
by $O_i (I \otimes P_i) \rho (I \otimes P_i^\dagger) O_i^\dagger$, and is almost disentangled from Eve.

Suppose Alice and Bob reuse a private key obtained from $(\mathcal{I} \otimes \mathcal{E})(\rho)$ which is entangled
with Eve. Eve can learn about the future communication or correlate different rounds of
communicated materials only through the correlation with the reused private key. Such
correlation is small when syndrome extraction succeeds with high probability, in which case
Eve has little information on any nontrivial function on all the plain-text. Key recycling
is then semantically secure. A scheme is semantically secure if there is vanishing
difference between the probabilities to estimate the value of any nontrivial function on the
plain-text, with or without the cipher-text.

3.2. Error correction for the quantum Vernam cipher 

Recall that it suffices to identify the Pauli error that occurs in the cipher-text. We show
how this can be done perfectly in the quantum Vernam cipher. We use the fact that Fig. 2
acts trivially, and the commutation relations

[Figure: circuit identities (commutation relations of X and Z with the controlled gates).]

to find the effect of errors on the cipher-text for the one-qubit protocol:

[Figure: circuit showing an error on the cipher-text propagated through the decoding.]
An X error in the transmitted cipher-text propagates to the decoded message together
with a Z error on $b_2$, changing $\{a_2, b_2\}$ from $|\Phi^+\rangle$ into $|\Phi^-\rangle$. Likewise, a Z error turns
$\{a_1, b_1\}$ into $|\Phi^-\rangle$ and an XZ error turns both EPR pairs into $|\Phi^-\rangle$. Alice and Bob
can distinguish $|\Phi^+\rangle$ from $|\Phi^-\rangle$ by independently measuring their halves of the EPR pair
along the $|\pm\rangle = \frac{1}{\sqrt{2}}(|0\rangle \pm |1\rangle)$ basis and comparing their results on a broadcast channel.
Since $|\Phi^+\rangle = \frac{1}{\sqrt{2}}(|{+}{+}\rangle + |{-}{-}\rangle)$ and $|\Phi^-\rangle = \frac{1}{\sqrt{2}}(|{+}{-}\rangle + |{-}{+}\rangle)$,
the measured state is $|\Phi^+\rangle$ ($|\Phi^-\rangle$) when their results agree (disagree). Therefore, the
possible Pauli errors I, X, Z, and XZ can be perfectly distinguished and corrected. The same
argument applies to transmitting n qubits.

We emphasize that this detection procedure effectively turns Eve's most general action
into a Pauli error. An example to recover the message without the cipher-text is given in
Appendix B.
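The syndrome table of this section can be reproduced with a small state-vector simulation of the one-qubit protocol of Fig. 2. This is an added example, not code from the paper; the register order (a1, b1, a2, b2, m), the sample message state and all function names are assumptions of the sketch.

```python
import math

# Assumed register order for this sketch: a1, b1, a2, b2, m (m is the last bit).
A1, B1, A2, B2, M = range(5)
NQ = 5

I2 = [[1, 0], [0, 1]]
X = [[0, 1], [1, 0]]
Z = [[1, 0], [0, -1]]
ZX = [[0, 1], [-1, 0]]                       # X applied first, then Z
H = [[1 / math.sqrt(2), 1 / math.sqrt(2)],
     [1 / math.sqrt(2), -1 / math.sqrt(2)]]  # (X + Z)/sqrt(2): a non-Pauli error

PSI = (0.6, 0.8j)                            # constructed sample message state


def bit(index, q):
    """Value of qubit q in a basis-state index (qubit 0 is the most significant bit)."""
    return (index >> (NQ - 1 - q)) & 1


def apply_1q(state, gate, q):
    """Apply a 2x2 gate to qubit q of the 5-qubit state vector."""
    mask = 1 << (NQ - 1 - q)
    out = [0j] * len(state)
    for index, amp in enumerate(state):
        cleared = index & ~mask
        out[cleared] += gate[0][bit(index, q)] * amp
        out[cleared | mask] += gate[1][bit(index, q)] * amp
    return out


def apply_cx(state, control, target):
    """Controlled-X: flip the target wherever the control bit is 1."""
    mask = 1 << (NQ - 1 - target)
    out = [0j] * len(state)
    for index, amp in enumerate(state):
        out[index ^ mask if bit(index, control) else index] = amp
    return out


def apply_cz(state, control, target):
    """Controlled-Z: negate amplitudes where control and target are both 1."""
    return [-amp if bit(i, control) and bit(i, target) else amp
            for i, amp in enumerate(state)]


def send(psi, error):
    """Encode psi with two ebits, apply `error` to m in transit, decode at Bob."""
    state = [0j] * 32
    for k1 in (0, 1):
        for k2 in (0, 1):
            for mbit in (0, 1):   # |Phi+>|Phi+>|psi> = 1/2 sum |k1 k1>|k2 k2>|psi>
                state[k1 << 4 | k1 << 3 | k2 << 2 | k2 << 1 | mbit] = 0.5 * complex(psi[mbit])
    state = apply_cz(apply_cx(state, A1, M), A2, M)   # Alice: CNOT a1->m, then CZ a2->m
    state = apply_1q(state, error, M)                 # Eve acts on the cipher-text
    return apply_cx(apply_cz(state, B2, M), B1, M)    # Bob: CZ b2->m, then CNOT b1->m


def disagree_probability(state, qa, qb):
    """Probability that |+/-> measurements of qa and qb disagree (1 for |Phi->, 0 for |Phi+>)."""
    flipped = apply_1q(apply_1q(state, X, qa), X, qb)
    xx = sum((a.conjugate() * b).real for a, b in zip(state, flipped))
    return (1 - xx) / 2


def message_fidelity(state, psi):
    """<psi| rho_m |psi> for the reduced state of register m."""
    c0, c1 = complex(psi[0]).conjugate(), complex(psi[1]).conjugate()
    return sum(abs(c0 * state[i] + c1 * state[i + 1]) ** 2 for i in range(0, 32, 2))


def syndrome_probabilities(psi, error):
    """Disagreement probabilities of pair (a1, b1) and pair (a2, b2)."""
    state = send(psi, error)
    return disagree_probability(state, A1, B1), disagree_probability(state, A2, B2)


def recover(psi, error):
    """For a Pauli error: (z_flag, x_flag, fidelity before, fidelity after correction)."""
    state = send(psi, error)
    z_flag = disagree_probability(state, A1, B1) > 0.5   # pair 1 in |Phi-> flags Z
    x_flag = disagree_probability(state, A2, B2) > 0.5   # pair 2 in |Phi-> flags X
    before = message_fidelity(state, psi)
    if z_flag:
        state = apply_1q(state, Z, M)                    # undo Z first, then X
    if x_flag:
        state = apply_1q(state, X, M)
    return z_flag, x_flag, before, message_fidelity(state, psi)


if __name__ == "__main__":
    for name, err in (("I", I2), ("X", X), ("Z", Z), ("ZX", ZX)):
        print(name, recover(PSI, err))
    print("H", syndrome_probabilities(PSI, H))           # each pair disagrees half the time
```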



4. Key Recycling 

We have seen that the EPR pairs in the quantum Vernam cipher can be measured to
extract the exact error syndrome. We now show that, when many qubits are sent, it
is possible to use less entanglement (per qubit) for syndrome extraction with very high
probability. The remaining EPR pairs can be recycled, with semantic security. We show
strong evidence that security is due to transmitting a quantum cipher-text, rather than
using entanglement as the key, by modifying the private quantum channel to recycle a
classical key.



4.1. Recycling quantum key 

Recall that after sending n qubits with the quantum Vernam cipher, Alice and Bob share
2n EPR pairs either in $|\Phi^+\rangle$ or $|\Phi^-\rangle$, in a one-to-one correspondence with the Pauli error
in the cipher-text. Syndrome extraction is equivalent to learning the identity of these
EPR pairs. Asymptotically, this can be done in two steps. The first step, adapted from
Ref. 5, is a preliminary test for eavesdropping by testing if the EPR pairs are $|\Phi^+\rangle^{\otimes 2n}$.
Without indication of eavesdropping, the decoded state is accepted, and the EPR pairs
are recycled. Otherwise, a second step is performed to find the identity of the EPR pairs
by a random hashing method adapted from Ref. 16. This procedure applies to the most
general eavesdropping strategy.

Let the identity of the 2n EPR pairs be represented by a 2n-bit string v, with 0 and 1
corresponding to $|\Phi^+\rangle$ and $|\Phi^-\rangle$. We first describe a useful protocol to obtain the parity of
a subset of bits in v. The "bilateral XOR" (BXOR), defined as
$\mathrm{CNOT}_{a_1 a_2} \times \mathrm{CNOT}_{b_1 b_2}$, effects the transformation:

$$|\Phi^+\rangle|\Phi^+\rangle \to |\Phi^+\rangle|\Phi^+\rangle, \quad |\Phi^-\rangle|\Phi^-\rangle \to |\Phi^+\rangle|\Phi^-\rangle,$$

$$|\Phi^+\rangle|\Phi^-\rangle \to |\Phi^-\rangle|\Phi^-\rangle, \quad |\Phi^-\rangle|\Phi^+\rangle \to |\Phi^-\rangle|\Phi^+\rangle,$$

where the qubits are ordered as $a_1, b_1, a_2, b_2$. The control pair $(a_1, b_1)$ becomes the parity
of the two pairs. Likewise, the parity of a subset $\{s_1, s_2, s_3, \cdots\}$ can be found by applying
BXOR from an extra $|\Phi^+\rangle$ to all of $\{s_1, s_2, s_3, \cdots\}$.

For the preliminary test for eavesdropping, let r be a security parameter. Alice and
Bob pick r random subsets of v and find their parities using r extra $|\Phi^+\rangle$. If v = 0,
all subsets have even parities. Otherwise, each random subset has equal probability to be
odd or even, and the probability of obtaining only even parities is $2^{-r}$.

If all r parities are even, Alice and Bob recycle the 2n-ebit key. The probability for
Alice and Bob to miss an error in the decoded message and recycle a compromised key is

$$\mathrm{Prob(pass\ and\ erroneous)} \leq \mathrm{Prob(pass \,|\, erroneous)} = 2^{-r}$$

which can be made arbitrarily small by choosing a sufficiently large r.

If any subset has odd parity, Alice and Bob determine v as follows. The distribution of
v is generally unknown. However, Alice and Bob can estimate the Hamming weight of
v by sampling $r_2$ random bits of v. How $r_2$ depends on the security level can be found
as follows. If the Hamming weight of v is an, and ar2 1's are sampled, Chebyshev's
inequality implies $\forall \delta > 0$, Prob(|a − a| > $\delta$) < j^:^-^ Hence $\forall \epsilon > 0$, choosing r2 >
guarantees Prob(a $\in$ (a − $\delta$, a + $\delta$)) > 1 − $\epsilon$. Thus with probability larger than $1 - \epsilon$,
$v \in T$, the typical set of a binomial distribution with bias a and with size no greater than
$2^{2nH(a+\delta)}$. Here, H denotes the binary entropy function and for simplicity $a + \delta < \frac{1}{2}$.
As each random subset parity eliminates about half of the possible values of v, v can be
identified with $r_3 \approx 2nH(a + \delta)$ random subset parities. Approximately $2n(1 - H(a + \delta))$
EPR pairs can be recycled with vanishing correlation with Eve.

Note that the preliminary test uses r ebits, and the second step uses $r_2 + r_3$ ebits.
Since r and $r_2$ are independent of n, they are negligible for asymptotically large n. In
contrast, $r_3 \propto n$. This is the reason for splitting the procedure into two steps. Finally, we
use classical probabilities throughout the discussion since measurements are only made in
the $|\pm\rangle$ basis.
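Because only classical probabilities enter, the two-step procedure can be simulated on the syndrome string v alone. The Python sketch below is an added example, not code from the paper: it checks the $2^{-r}$ pass probability of the preliminary test exactly, runs the random-hashing step on a constructed 8-bit syndrome, and evaluates the recyclable-pair estimate. The function names, the seeds and the sample values are assumptions of the sketch, and the weight bound passed to `identify` stands in for the typical set T.

```python
import itertools
import math
import random


def parity(v, mask):
    """Parity of the bits of v selected by mask (the outcome of one subset-parity round)."""
    return bin(v & mask).count("1") & 1


def pass_probability(v, nbits, r):
    """Exact probability that r independent, uniformly random subsets all have even parity."""
    even = sum(1 for mask in range(1 << nbits) if parity(v, mask) == 0)
    return (even / (1 << nbits)) ** r


def preliminary_test(v, nbits, r, seed):
    """Step 1: accept (and recycle the whole key) only if all r subset parities are even."""
    rng = random.Random(seed)
    return all(parity(v, rng.getrandbits(nbits)) == 0 for _ in range(r))


def identify(v, nbits, max_weight, seed):
    """Step 2 (random hashing): announce random subset parities of v and discard every
    candidate of Hamming weight <= max_weight that disagrees, until one remains.

    Returns (identified string or None, number of parities used). The result is v
    whenever the weight bound really holds for v.
    """
    rng = random.Random(seed)
    candidates = [sum(1 << i for i in positions)
                  for w in range(max_weight + 1)
                  for positions in itertools.combinations(range(nbits), w)]
    used = 0
    while len(candidates) > 1:
        mask = rng.getrandbits(nbits)
        observed = parity(v, mask)
        candidates = [c for c in candidates if parity(c, mask) == observed]
        used += 1
    return (candidates[0] if candidates else None), used


def binary_entropy(p):
    """H(p) in bits."""
    if p in (0, 1):
        return 0.0
    return -p * math.log2(p) - (1 - p) * math.log2(1 - p)


def recyclable_pairs(n, a, delta):
    """Approximate number of EPR pairs left after hashing: 2n(1 - H(a + delta))."""
    return 2 * n * (1 - binary_entropy(a + delta))


if __name__ == "__main__":
    clean, disturbed = 0b00000000, 0b01000010          # constructed 8-bit syndromes (2n = 8)
    print(pass_probability(clean, 8, 5))               # untouched key always passes
    print(pass_probability(disturbed, 8, 5))           # any nonzero v passes with 2^-r
    print(preliminary_test(disturbed, 8, 20, seed=1))
    print(identify(disturbed, 8, max_weight=2, seed=7))
    print(recyclable_pairs(1000, 0.1, 0.01))           # about half of the 2000 pairs
```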



Footnote: This representation is a simplified version of that in Ref. 16.

Footnote: The first and second subscripts denote the control and target bits.

Footnote: These extra $|\Phi^+\rangle$ are unnecessary but they simplify the procedure.

Footnote: The Hamming weight is the number of 1s in a bit-string.

Footnote: The test bits are identically distributed, and negatively correlated, so that Chebyshev's inequality applies.
4.2. Recycling classical key

To illustrate that secure recycling is not a property special to entanglement, we adapt a
scheme in Ref. 15 to recycle the classical key in the private quantum channel. The main
idea is to add known test qubits to detect errors effectively. Specifically, consider sending
n qubits with security parameter r. Alice encodes the n qubits with a 2n-bit classical key
as in the original scheme described in Section 2.2. She appends to the data qubits 2r test
qubits, called $x_1, \cdots, x_r, z_1, \cdots, z_r$, in the state $|0\rangle^{\otimes r}|+\rangle^{\otimes r}$. Each test bit may be flipped
$|0\rangle \leftrightarrow |1\rangle$, $|+\rangle \leftrightarrow |-\rangle$ depending on a 2r-bit classical key. In addition, she picks 2r random
subsets $S_{x1}, \cdots, S_{xr}, S_{z1}, \cdots, S_{zr}$ of the n data qubits. For each i, a CNOT is applied from
each qubit in $S_{xi}$ to $x_i$. Likewise, a CNOT is applied from $z_i$ to each qubit in $S_{zi}$. Alice also
picks r random subsets $T_{x1}, \cdots, T_{xr}$ of $\{z_1, \cdots, z_r\}$ and applies a CNOT from each $z_j \in T_{xi}$
to $x_i$. Then, she sends all n + 2r qubits to Bob. After Bob announces receipt of all the
qubits, Alice announces all 3r subsets. Bob decodes by inverting Alice's operation. If the
test qubits are in the state $|0\rangle^{\otimes r}|+\rangle^{\otimes r}$, he accepts the decoded data qubits and recycles
the classical key. The main idea behind the modification is illustrated in Fig. 3.



Fig. 3. The modified private quantum channel. $\rho_1, \cdots, \rho_n$ are n data qubits. Depending on the
key, $U_i$ = I, X, Z, or XZ, $U_{1,\ldots,r}$ = I or X, and $U_{r+1,\ldots,2r}$ = I or Z. We only show the operations
related to $S_{x1}$, $S_{z1}$, and $T_{x1}$, with $S_{x1} = \{1,2\}$, $S_{z1} = \{m,n\}$, and $T_{x1} = \{1\}$ as examples. The
symbol // denotes a qubit in transit (and at risk).

Footnote: Note that $T_{x1}, \cdots, T_{xr}$ also define r random subsets $T_{z1}, \cdots, T_{zr}$ of $x_1, \cdots, x_r$ such
that a CNOT is applied from $z_j$ to each $x_i \in T_{zj}$.
If no error occurs to the (n+2r)-qubit cipher-text during transmission, the test qubits
are always decoded as $|0\rangle^{\otimes r}|+\rangle^{\otimes r}$. However, if a nontrivial Pauli error occurs, the test
qubits are not decoded as $|0\rangle^{\otimes r}|+\rangle^{\otimes r}$ with probability higher than $1 - 2^{-r}$. To see this,
decompose the Pauli error into its X and Z components, and without loss of generality,
the X component is nontrivial. The overall effect of the extra CNOT can be found using
the commutation relations in Section 3.2. An $X_j$ during transmission becomes $X_j$ and an
extra $X_{x_i}$ on the original cipher-text if $j \in S_{xi}$. Likewise, $X_{z_j}$ becomes $X_{z_j}$ with an extra
$X_{x_i}$ if $z_j \in T_{xi}$. An $X_{x_i}$ decodes to itself. Thus $x_i$ has an overall X error if an odd number
of X occurs to $S_{xi} \cup T_{xi} \cup x_i$. As any nontrivial tensor product of X errors is equally likely
to act on an even or odd number of qubits in a random subset, the probability for
$x_1, \cdots, x_r$ to decode to $|0\rangle^{\otimes r}$ is $2^{-r}$. A Z error is propagated to the $z_i$ similarly. Note that the X
and Z components act independently on the test qubits, and the $x_i$ are unaffected by Z
errors and the $z_i$ are unaffected by X errors. This completes the proof that any nontrivial
Pauli error is undetected with probability no more than $2^{-r}$.

We now prove the security of key recycling against the most general eavesdropping
strategy. Using the framework of Section 3.1, let the received cipher-text be
$\mathcal{E}(\rho) = \sum_{ij} e_{ij} P_i \rho P_j^\dagger$. Let $P_0$ be the identity Pauli error. Each set of random subsets
corresponds to a detection scheme that distinguishes a set of Pauli errors $\mathcal{P}_l$ from its complement, and
$P_0 \in \mathcal{P}_l$. The accepted output is
$\mathcal{E}_a(\rho) \propto \sum_{P_i, P_j \in \mathcal{P}_l} e_{ij} P_i \rho P_j^\dagger$. Averaged over the random
subsets, the unnormalized accepted state is given by

$$\mathcal{E}_a(\rho) = \sum_{ij} c_{ij} e_{ij} P_i \rho P_j^\dagger \qquad (9)$$

where $c_{ij} \leq 2^{-r}$ except for $c_{00} = 1$.

The recycling scheme is secure if there is vanishing probability for Eve to obtain a
nonvanishing amount of information, $I_{\rm Eve}$, on the recycled bits. Since the keys are recycled
only if the state is accepted, we only need to show that the following is vanishing for any
nonvanishing threshold $I_{\rm thres}$:

$$\mathrm{Prob}(\mathrm{accept\ and\ } I_{\rm Eve} > I_{\rm thres}) = \mathrm{Prob(accept)} \times \mathrm{Prob}(I_{\rm Eve} > I_{\rm thres} \,|\, \mathrm{accept}). \qquad (10)$$

We now show that one of the two factors in Eq. (10) has to vanish when r is sufficiently
large. Using the normalization of the accepted state in Eq. (9),
$\mathrm{Prob(accept)} \leq e_{00} + 2^{-r}(1 - e_{00})$ can be made vanishing unless $e_{00}$ is nonvanishing. In this case, we can show
that $\mathrm{Prob}(I_{\rm Eve} > I_{\rm thres} \,|\, \mathrm{accept})$ is vanishing. The amount of information $I_{\rm Eve}$ is bounded
by the entropy of Eve's reduced density matrix, which in turn is bounded by the entropy
of $\mathcal{E}_a(\rho)/\mathrm{tr}(\mathcal{E}_a(\rho))$ when maximized over pure input states $\rho$. Rewriting the unnormalized
state $\mathcal{E}_a(|\psi\rangle\langle\psi|)$:

$$\mathcal{E}_a(|\psi\rangle\langle\psi|) = e_{00} |\psi\rangle\langle\psi| + \sum_{(i,j) \neq (0,0)} c_{ij} e_{ij} P_i |\psi\rangle\langle\psi| P_j^\dagger, \qquad (11)$$

it can be verified that, when $e_{00}$ is nonvanishing, increasing r makes the second term vanish,
and $\mathcal{E}_a(|\psi\rangle\langle\psi|)/\mathrm{tr}(\mathcal{E}_a(|\psi\rangle\langle\psi|))$ is arbitrarily close to $|\psi\rangle\langle\psi|$ and has vanishing entropy. Thus
$I_{\rm Eve}$ has to vanish, and the same holds for $\mathrm{Prob}(I_{\rm Eve} > I_{\rm thres} \,|\, \mathrm{accept})$ for any finite $I_{\rm thres}$.
5. The Quantum Vernam Cipher and Secret Sharing

We now explain the properties of the quantum Vernam cipher in terms of general
connections between secret communication and secret sharing. A (classical or quantum)
secret sharing scheme divides a secret into shares. The secret is retrievable only with
enough shares, which form the authorized sets. Other sets are unauthorized. In general,
unauthorized sets can have partial information. We restrict to perfect schemes in which
unauthorized sets have no information. A (k, n) threshold scheme is a perfect scheme in
which any k out of n shares form an authorized set. In addition to the usual properties,
quantum secret sharing schemes also obey the no-cloning theorem so that complements
of authorized sets are unauthorized. Finally, in pure state perfect quantum secret sharing
schemes, complements of unauthorized sets are authorized.

Any private key encryption scheme (classical or quantum) which conveys a message
from Alice to Bob but conceals it from Eve is a secret sharing scheme. The secret is
divided into three shares: A and B are private shares for Alice and Bob, and E is the
share communicated from Alice to Bob. Thus A and B represent the key, and E represents
the cipher-text. By definition, {A,E} and {B,E} are authorized while B and E are
unauthorized. In a quantum cipher, A is unauthorized. If additionally, the scheme is
pure, {A,B} is authorized: the scheme is a (2,3) threshold scheme.

The quantum Vernam cipher is an example of the pure state threshold scheme described
above. Entanglement is regenerated because A and B are identical shares. Errors on E are
correctable because {A, B} is authorized. Furthermore, in the quantum Vernam cipher:
(1) Alice can encode an unknown message and her half of the key into the correctly
distributed shares all by herself, and (2) errors on E are correctable using only local
quantum operations and classical communication (LOCC) between Alice and Bob. We
now characterize secret sharing schemes with these two properties. Property (1) holds
for all pure state quantum secret sharing schemes in which the reduced density matrix
of B is maximally mixed. This follows from the proof of the impossibility of quantum
bit commitment that two pure states with the same reduced density matrix in Bob's
system can be transformed to each other by unitary operations acting outside Bob's system.
Property (2) holds asymptotically if the entanglement between A and B (in ebits) in the
secret sharing scheme is at least twice the size of E (in qubits). This follows from comparing
the number of errors to be distinguished with the amount of information obtainable in the
random hashing method.

As an example to construct a cipher from a secret sharing scheme with the above
characterization, consider the (2,3) threshold scheme obtained from the 5-qubit 1-error
correcting code, by assigning two qubits to each of A and B, and one qubit to E.
The encoding circuit $U_{enc}$ can be specified by how the stabilizer and the encoded
operations evolve. As $U_{enc}$ is in the Clifford group, a circuit implementing $U_{enc}$ can be
constructed using a scheme in Ref. 31. The decoding circuit can be constructed similarly.
The cipher obtained is shown in Fig. 4.

We find from Fig. 4 that the four possible Pauli errors in the cipher-text correlate with
the EPR pairs being $|\Phi^+\rangle^{\otimes 2}$, $|\Phi^-\rangle^{\otimes 2}$, $|\Psi^+\rangle^{\otimes 2}$, and $|\Psi^-\rangle^{\otimes 2}$, where
$|\Psi^\pm\rangle = \frac{1}{\sqrt{2}}(|01\rangle \pm |10\rangle)$. The four cases are distinguishable by LOCC.

Fig. 4. The 5-bit code as a quantum cipher. In the circuit, $Y = iXZ$, $H = \frac{1}{\sqrt{2}}(X + Z)$, and a
vertical line with × in both ends is a swap operation.

Cleve derived another example of a cipher from a secret sharing scheme (Ap- 
pendix C). It is a (2,3) threshold scheme in which all three shares are 3-dimensional. 
Errors on E cannot be corrected with LOCC, unless extra entanglement is available to 
Alice and Bob. On the other hand, this cipher requires less entanglement to conceal the 
message. 

We can apply the connections between secret sharing and secret communication to 
the private quantum channel and teleportation (see also Appendix D), which encrypts a 
quantum plain-text to a classical cipher-text using a quantum key.^j In teleportation, after 
Alice's measurements, E is the outcome $(k_1, k_2)$ to be communicated and B is the quantum 
state $Z^{k_1}X^{k_2}|\psi\rangle$ possessed by Bob. In the private quantum channel, $A = B = (k_1, k_2)$ 
is the classical key, and $E = Z^{k_1}X^{k_2}|\psi\rangle$ is the communicated quantum state. Viewing 
A and B in the second scheme as one share, both schemes are the same (2, 2) threshold 
scheme with the quantum and classical shares interchanged. As a mixed state (2, 2) 
scheme, errors on one share are not correctable, as we have seen in the private quantum 
channel. However, in teleportation, the classical share is broadcast and no correction is 
needed. Finally, the quantum Vernam cipher, with the three shares forming the state 
$\frac{1}{2}\sum_{k_1 k_2} |k_1 k_2\rangle |k_1 k_2\rangle Z^{k_1}X^{k_2}|\psi\rangle$, is just the purification of the (2,2) scheme. 

6. Conclusion 

We have analyzed two important properties of the quantum Vernam cipher, the security 
of recycling keys and the reliability of the transmission, and have made comparisons with 
other related schemes. These results are summarized and extended to other existing 
schemes in the following table which is explained next. 



^j Teleportation paradoxically communicates quantum states securely without quantum communication. 
The closely related remote state preparation (Refs. 33, 34) may not be secure. 

^k This provides an alternative proof for the lower bound of the classical key size, since an important classical 
share is at least twice the size of the quantum secret. 
| Type (CKM) | Example | Security of key recycling | Reliability |
|---|---|---|---|
| CCC | Classical one-time-pad | × | ✓ |
| CCQ | Impossible | | |
| CQC | Entanglement based key distribution | × | |
| CQQ | Teleportation | × | ✓ |
| QCC | Eavesdrop-detecting channel | | × |
| QCQ | Private quantum channel | | × |
| QQC | Superdense coding | | × |
| QQQ | Quantum Vernam cipher | | ✓ |
| QOC | BB84 (Ref. 2) | | |
| QOQ | Establishing entanglement | | |

* Requires quantum back-communication. 

In the table, the type of cryptographic protocol is specified by three elements: the 
communication channel (which is of the same type as the cipher-text C), the key K, and 
the message M to be conveyed. A 3-alphabet string represents these three elements in 
order. Q, C, and O respectively stand for the element being quantum, classical, and 
non-existing. The first property in question is the security of key recycling and the second 
property is reliability - whether the correct message is received with high probability. The 
security properties are based on Alice and Bob having an unjammable 2-way classical 
broadcast channel. 

We can extrapolate the properties of the specific examples to classes of ciphers. For 
example, due to the use of an unjammable classical broadcast channel, all ciphers of the 
type C-- are reliable. In contrast, ciphers of the type Q-- are susceptible to errors, 
unless a large quantum key is available, such as in the quantum Vernam cipher. Since 
in the worst case the quantum channel is jammed, a general recovery procedure would 
involve LOCC and is effectively of the type CQQ (though the exact protocol need not 
be teleportation). The very same unjammable classical channel in C-- cannot detect 
eavesdropping, and used keys can be compromised. The susceptibility of the quantum 
channel in Q-- is also the reason why it can detect eavesdropping and reject compromised 
keys. This quantum feature also allows key distribution to be possible. 

The secure properties of the quantum Vernam cipher come at a price - it requires a 
quantum channel and pre-shared entanglement. In fact, for the same resources, one can use 
the quantum channel to establish entanglement and use the entanglement to teleport the 
state. The two methods are compared in Appendix E. We are not aware of a circumstance 
in which QQQ is more efficient than the hybrid method QOQ + CQQ. This is not surprising 
in view of the above discussion, since the hybrid method exploits the advantages of both 
types of ciphers. 

We have ensured security in key recycling by detecting errors in the cipher-text. This 
objective is very similar to that of message authentication - to reject a forged or altered 
message with high probability. For example, our modification to the private quantum 
channel described in Section 4.2 can be viewed as an authentication step for the encrypted 
quantum message. For authentication, all $U_i$ in Figure 3 can be omitted. The test qubits 
can detect both forging and tampering with high probability due to the random flip based 
on the 2r-bit classical key. Forging succeeds with probability no better than and 
the fidelity of an accepted message with respect to the original cipher-text is of order 
$1 - O(2^{-r})$. This means that authenticating n qubits given an insecure quantum channel 
and an authenticated 2-way classical channel requires only 2r bits of classical key and 
an extra 2r qubits of quantum communication. We can also drop the assumption of 
authenticity in the classical communication given a larger key to classically authenticate 
the classical messages, for example, using the Wegman-Carter method. Recently, 
authentication protocols for quantum messages using a classical key but no additional 
classical communication have been proposed (e.g., Ref. 13). 

Returning to the connection with secret sharing, we have seen that in the quantum 
Vernam cipher, the quantum secret can be unlocked from an authorized set using only 
LOCC between the parties. Under the same conditions, hardly any information can be 
obtained in a recently proposed scheme to share a classical secret. It will be interesting 
to understand the origin of such differences. It might be related to the amount of entan- 
glement shared between the parties in the secret sharing scheme, and further investigation 
is underway. More generally, secret sharing schemes have mostly been analyzed assuming 
no or full cooperation between the different parties, and the security under LOCC remains 
an interesting area to be explored. 
Appendix A. Definitions of some Ciphers 

We briefly describe the ciphers which are not reviewed elsewhere in this paper: 

• Entanglement based key distribution. Alice and Bob share a large number of $|\Phi^+\rangle$. 
They measure their halves of the EPR pairs independently in the $\{|0\rangle, |1\rangle\}$ basis. 
Their measurement results can be used as keys. If Alice and Bob are given a quantum 
channel instead, they first establish pure entanglement with the standard test 
procedures. 

• BB84. Alice sends to Bob $\{|0\rangle, |1\rangle, |+\rangle, |-\rangle\}$ chosen at random, and Bob measures 
them in a random basis, $\{|0\rangle, |1\rangle\}$ or $\{|+\rangle, |-\rangle\}$. They subsequently announce their 
bases. Only the measurement results obtained in the matching basis are used. A 
sufficient number of the results are announced and compared to test for eavesdropping. 
Upon passing the test, privacy amplification is applied to the results not 
announced to establish classical keys. 

• Superdense coding. Alice and Bob share one copy of $|\Phi^+\rangle$. Alice can send 2 classical 
bits $c_1, c_2$ securely to Bob as follows. Alice applies $X^{c_1}Z^{c_2}$ on her half of $|\Phi^+\rangle$ and 
sends it to Bob. Bob can determine $c_1, c_2$ by a Bell measurement on both qubits. 

Appendix B. Recovery of Message without the Cipher-text 

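Without loss of generality, let the message be $|\psi\rangle = a|0\rangle + b|1\rangle$. Ordering the registers as 
$(a_1, b_1, a_2, b_2, m)$, the system has initial state $|\Phi^+\rangle|\Phi^+\rangle|\psi\rangle$. The state changes: 

$$
\begin{aligned}
&\tfrac{1}{2}\big[\,|0000\rangle + |0011\rangle + |1100\rangle + |1111\rangle\,\big](a|0\rangle + b|1\rangle) \\
\rightarrow\ &\tfrac{1}{2}\big[\,|0000\rangle(a|0\rangle + b|1\rangle) + |0011\rangle(a|0\rangle - b|1\rangle) \\
&\quad + |1100\rangle(a|1\rangle + b|0\rangle) + |1111\rangle(-a|1\rangle + b|0\rangle)\,\big] && \text{(B.1)} \\
\rightarrow\ &\tfrac{1}{2}\big[\,a(|0000\rangle + |0011\rangle) + b(|1100\rangle + |1111\rangle)\,\big] \\
&\oplus \tfrac{1}{2}\big[\,b(|0000\rangle - |0011\rangle) + a(|1100\rangle - |1111\rangle)\,\big] && \text{(B.2)} \\
\rightarrow\ &\tfrac{1}{2}\big[\,a(|0000\rangle + |0011\rangle)|0\rangle + b(|1100\rangle + |1111\rangle)|1\rangle\,\big] \\
&\oplus \tfrac{1}{2}\big[\,b(|0000\rangle - |0011\rangle)|0\rangle + a(|1100\rangle - |1111\rangle)|1\rangle\,\big] && \text{(B.3)} \\
=\ &\tfrac{1}{4}\big[\,(|00\rangle + |11\rangle)(|00\rangle + |11\rangle)(a|0\rangle + b|1\rangle) \\
&\quad + (|00\rangle - |11\rangle)(|00\rangle + |11\rangle)(a|0\rangle - b|1\rangle)\,\big] \\
&\oplus \tfrac{1}{4}\big[\,(|00\rangle + |11\rangle)(|00\rangle - |11\rangle)(b|0\rangle + a|1\rangle) \\
&\quad + (|00\rangle - |11\rangle)(|00\rangle - |11\rangle)(b|0\rangle - a|1\rangle)\,\big] && \text{(B.4)}
\end{aligned}
$$

describe the encoding (Eq. (B.1)), the removal of m (Eq. (B.2)), and the decoding by Bob 
after he substitutes $|0\rangle$ for m (Eq. (B.3)). The $\oplus$ denotes a mixture of states: $\oplus_i |\psi_i\rangle = \sum_i |\psi_i\rangle\langle\psi_i|$. 
The decoded state is rewritten in Eq. (B.4), to which the syndrome measurement 
described in Section 3.2 is applicable. 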
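
The steps of Eqs. (B.1)-(B.4) can be checked numerically. The Python sketch below is an added example, not code from the paper: the gate order (controlled-X from a1, then controlled-Z from a2, undone by Bob from b2 and b1) is an assumption read off Eq. (B.1), the function names are illustrative, and the Bell-state projection stands in for the syndrome measurement of Section 3.2 without modelling its LOCC procedure.

```python
from itertools import product

A1, B1, A2, B2, M = range(5)  # register order of Appendix B: (a1, b1, a2, b2, m)

def initial_state(a, b):
    """|Phi+>|Phi+>(a|0> + b|1>) as {basis bits: amplitude}."""
    return {(k1, k1, k2, k2, m): amp / 2
            for k1, k2 in product((0, 1), repeat=2)
            for m, amp in ((0, a), (1, b))}

def cx(state, ctrl, tgt):
    """Controlled-X: flip bit tgt where bit ctrl is 1."""
    return {b[:tgt] + (b[tgt] ^ b[ctrl],) + b[tgt + 1:]: amp for b, amp in state.items()}

def cz(state, ctrl, tgt):
    """Controlled-Z: negate the amplitude where both bits are 1."""
    return {b: -amp if b[ctrl] and b[tgt] else amp for b, amp in state.items()}

def encode(state):
    """Alice's encoding as read off Eq. (B.1): X controlled by a1, then Z by a2."""
    return cz(cx(state, A1, M), A2, M)

def decode_without_ciphertext(state):
    """Eqs. (B.2)-(B.3): drop m, substitute |0>, undo the encoding from b2 and b1."""
    branches = []  # the two unnormalised members of the mixture
    for lost in (0, 1):
        kept = {b[:4] + (0,): amp for b, amp in state.items() if b[M] == lost}
        branches.append(cx(cz(kept, B2, M), B1, M))
    return branches

def project(branch, s1, s2):
    """Apply <Phi^{s1}| to (a1,b1) and <Phi^{s2}| to (a2,b2), with s = +1 or -1.
    Returns the residual unnormalised message amplitudes [m=0, m=1]."""
    msg = [0, 0]
    for (a1, b1, a2, b2, m), amp in branch.items():
        if a1 == b1 and a2 == b2:
            msg[m] += (s1 if a1 else 1) * (s2 if a2 else 1) * amp / 2
    return msg

def recover(a, b):
    """Map each Bell syndrome (s1, s2) of Eq. (B.4) to the Pauli-corrected message."""
    results = {}
    for branch in decode_without_ciphertext(encode(initial_state(a, b))):
        for s1, s2 in product((1, -1), repeat=2):
            m0, m1 = project(branch, s1, s2)
            if abs(m0) + abs(m1) > 1e-12:      # syndrome occurs in this branch
                if s1 == -1: m1 = -m1          # undo Z
                if s2 == -1: m0, m1 = m1, m0   # undo X
                results[(s1, s2)] = (2 * m0, 2 * m1)
    return results
```

Each of the four syndromes occurs with equal weight, and after the indicated correction every one returns the original amplitudes (a, b), which is the content of Eq. (B.4).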

Appendix C. Quantum Secret Sharing Scheme as Secure Quantum Channel 

We describe another cipher due to Cleve constructed from a (2, 3) threshold quantum 
secret sharing scheme. The plain-text $|\psi\rangle = \alpha|0\rangle + \beta|1\rangle + \gamma|2\rangle$ is a three dimensional state 
(a qutrit). We define the following gates acting on qutrits: 

[Figure: definitions of the qutrit gates] 

where sums and differences are taken modulo 3. The proposed scheme can be represented 
by the following circuit: 

[Figure: circuit of the proposed scheme, with shares A and B] 

in which the maximally entangled state is $\frac{1}{\sqrt{3}}(|00\rangle + |12\rangle + |21\rangle)$, A, B represent the 
private shares of Alice and Bob, and // represents a transmission from Alice to Bob. The 
regenerated entangled state is explicitly marked. Encoding is performed locally by Alice. 
As a (2, 3) threshold scheme, any error in the transmitted qutrit is correctable. However, 
correction cannot be performed using only LOCC operations by Alice and Bob. To see 
this, we first rearrange the qutrits in the circuit and redefine the maximally entangled 
state as $\frac{1}{\sqrt{3}}(|00\rangle + |11\rangle + |22\rangle)$. 

[Figure: the rearranged circuit, with shares A and B and the plain-text $|\psi\rangle$ at input and output] 


We can now easily find the effect of an error $\mathcal{E}$ during transmission, for the following 
circuits are equivalent: 

[Figure: two equivalent circuits containing the error $\mathcal{E}$] 


We consider an error basis on a qutrit generated by X and Z where $X|j\rangle = |j+1\rangle$ and 
$Z|j\rangle = e^{2\pi i j/3}|j\rangle$. Using the commutation relations 

[Figure: commutation relations of X and Z with the gates] 

the overall effects due to errors that are powers of X and Z can be obtained: 

[Figure: equivalent circuits for the errors] 

The 9 possible errors are correlated with 9 orthogonal maximally entangled states, which 
are globally distinguishable but indistinguishable with LOCC, or else Alice and Bob can 
identify maximally entangled states from the maximally mixed state and distill 
entanglement out of nothing. 

Appendix D. Teleportation 

Without loss of generality, consider the teleportation of a pure state $|\psi\rangle = a|0\rangle + b|1\rangle$ using 
the following circuit: 

[Figure: teleportation circuit] 

It is easily verified that the initial state $\frac{1}{\sqrt{2}}(a|0\rangle + b|1\rangle)(|00\rangle + |11\rangle)$ is transformed to 

$$
\tfrac{1}{2}\big[\,|00\rangle(a|0\rangle + b|1\rangle) + |01\rangle(a|0\rangle - b|1\rangle) + |10\rangle(a|1\rangle + b|0\rangle) + |11\rangle(-a|1\rangle + b|0\rangle)\,\big]
$$

right before measurement. The measurement results $k_1, k_2$ are sent over a classical channel 
to recover $|\psi\rangle$. 



Appendix E. Comparison of Resources 

We compare the asymptotic resources required to send n qubits securely by (1) the quantum 
Vernam cipher (QQQ) and (2) establishing entanglement and teleporting (QOQ + 
CQQ). We compare the net amount of entanglement consumed, allowing both schemes 
n uses of an insecure quantum channel and unlimited uses of a 2-way classical broadcast 
channel. The quantum Vernam cipher uses $2n(1 - F)$ ebits where F is the recyclable 
fraction of entanglement. Teleportation uses $n(1 - D_2)$ ebits where $nD_2$ ebits are distillable 
from n uses of the quantum channel. Hence, teleportation is more efficient if and only if 
$F < (1 + D_2)/2$. 

In the following comparisons, we use more optimal recycling strategies than that in 
Section 4.1. Without eavesdropping, $F \approx D_2 \approx 1$. If Eve measures every qubit in the 
computation basis, Z occurs randomly. Hence $D_2 =$ and $F = 1/2$ since the EPR pairs 
detecting X errors are intact. If I, X, Z, XZ occur with probabilities 1/2, 1/6, 1/6, 
1/6, $D_2 =$ and $F = 0.1037$. For a completely random Pauli channel, $D_2 = F = 0$. 
Hence for the first two cases, the two methods are equally efficient. For the last two cases, 
teleportation is much more efficient. 



